diff --git a/main/conference/index.php b/main/conference/index.php
index d1e9d34671..42cb84f248 100755
--- a/main/conference/index.php
+++ b/main/conference/index.php
@@ -1,3 +1,12 @@
+
+
+
\ No newline at end of file
diff --git a/main/conference/liveconf.php b/main/conference/liveconf.php
deleted file mode 100755
index 28011a998b..0000000000
--- a/main/conference/liveconf.php
+++ /dev/null
@@ -1,29 +0,0 @@
-
-
-
-
-
diff --git a/main/webrooms/api.php b/main/webrooms/api.php
index 0a790c24c4..a0b4486862 100644
--- a/main/webrooms/api.php
+++ b/main/webrooms/api.php
@@ -1,58 +1,17 @@
0) error_log("setting SID to:".$_REQUEST["sid"]);
- session_id($_REQUEST["sid"]);
-}
+$presentation_extension = array('.ppt', '.odp');
+$image_extension = array ('.png', '.jpg', '.gif', '.jpeg');
if ($debug>0)
{
@@ -69,75 +28,70 @@ if ($debug>0)
}
-/*
-==============================================================================
- INCLUDE
-==============================================================================
-*/
+/*==== INCLUDE ====*/
require_once ('../inc/global.inc.php');
api_block_anonymous_users();
require_once (api_get_path(LIBRARY_PATH)."course.lib.php");
require_once (api_get_path(LIBRARY_PATH)."document.lib.php");
require_once (api_get_path(LIBRARY_PATH)."fileUpload.lib.php");
-/*
-==============================================================================
- SETTING UP SOME VARIABLES
-==============================================================================
-*/
-$debug=0;
-$action = $_REQUEST["action"];
-$cidReq = $_REQUEST["cidReq"];
+/*==== Variables initialisation ====*/
+$action = $_REQUEST["action"]; //safe as only used in if()'s
+$seek = array('/','%2F','..');
+$destroy = array('','','');
+$cidReq = str_replace($seek,$destroy,$_REQUEST["cidReq"]);
+$cidReq = Security::remove_XSS($cidReq);
$user_id = api_get_user_id();
$coursePath = api_get_path(SYS_COURSE_PATH).$cidReq.'/document';
$_course = CourseManager::get_course_information($cidReq);
-// FIXME: this sound very strange !!! but add_document need this to works
+// FIXME: add_document needs this to work
$_course['dbName'] = $_course['db_name'];
// FIXME: check if CourseManager::get_user_in_course_status return !=
// COURSEMANAGER when the code is not valid
-// FIXME: There is no valid course code which contains things like ../
if ($debug>0) error_log($coursePath, 0);
+if ($action == "uploadgui")
+{
+ echo '
+ ';
+ die();
+}
+else if ($action == "upload")
{
-/*
-==============================================================================
- PERMISSION
-==============================================================================
-*/
+ /*==== PERMISSION ====*/
$permissions = CourseManager::get_user_in_course_status($user_id, $cidReq);
if ($permissions != COURSEMANAGER)
{
if ($debug >0) error_log("Upload from videoconf not allowed !!!",0);
- die(); // this user is not allowed to add upload documents
+ die('Not allowed'); // this user is not allowed to add upload documents
}
-/*
-==============================================================================
- UPLOAD
-==============================================================================
-*/
-
+ /*==== UPLOAD ====*/
$destPath = $coursePath.VIDEOCONF_UPLOAD_PATH;
- if (!is_dir($destPath)){
+ if (!is_dir($destPath))
+ {
$result = create_unexisting_directory($_course,$user_id,0,NULL,$coursePath,VIDEOCONF_UPLOAD_PATH);
if (!$result)
+ {
if ($debug>0) error_log("Can't create ".$destPath." folder",0);
+ }
}
- $newPath = handle_uploaded_document($_course,$_FILES['Filedata'],$coursePath,VIDEOCONF_UPLOAD_PATH,$user_id,0,NULL,'',0,'rename',false);
+ $newPath = handle_uploaded_document($_course,$_FILES['filedata'],$coursePath,VIDEOCONF_UPLOAD_PATH,$user_id,0,NULL,'',0,'rename',false);
// based on ../newscorm/presentation.class.php
- $file_name = (strrpos($newPath,'.')>0 ? substr($newPath, 0, strrpos($newPath,'.')) : $newPath);
- $file_extension = (strrpos($newPath,'.')>0 ? substr($newPath, strrpos($newPath,'.'),10) : '');
-/* error_log($newPath,0);
- error_log($file_name,0);
- error_log($file_extension,0);
-*/
- if (in_array($file_extension, $PRESENTATION_EXTENSION))
+ $file_name = (strrpos($newPath,'.')>0 ? substr($newPath, 0, strrpos($newPath,'.')) : $newPath);
+ $file_extension = (strrpos($newPath,'.')>0 ? substr($newPath, strrpos($newPath,'.'),10) : '');
+ if (in_array($file_extension, $presentation_extension))
{
if ($debug > 0) error_log("converting $coursePath$newPath", 0);
/* creating output folder */
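Review bot: The course code read from the request on L58 is cleaned by stripping `/`, `%2F` and `..` rather than validated, and the result is then used as a filesystem component on L61 and as the lookup key on L62 without any check that a course was actually found; `$_course['db_name']` on L65 is read whatever `get_course_information` returned. A denylist of substrings is hard to reason about (case, alternative encodings, backslashes on Windows), so I would validate the code against the characters a course code may contain and abort when the lookup fails, e.g. `if (empty($_course)) { die('Unknown course'); }` after L62 — assuming, as the name suggests, that the helper returns an empty result for an unknown code. The `in_array` on L120 would also be safer with the third argument `true`, since `$file_extension` is always a string. The `upload` branch opened on L76 continues past the end of this hunk.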
@@ -188,19 +142,20 @@ if ($action == "upload")
api_item_property_update($_course, TOOL_DOCUMENT, $did, 'DocumentAdded', $user_id, 0, NULL);
}
}
-} else if ($action == "service")
-{/*
-==============================================================================
- LIST FILES
-==============================================================================
-*/
+ echo '';
+}
+else if ($action == "service")
+{
+ /*==== List files ====*/
if ($debug>0) error_log("sending file list",0);
$subaction = $_REQUEST["subaction"];
- $canDelete = (CourseManager::get_user_in_course_status($user_id, $cidReq) == COURSEMANAGER);
- if ($subaction == "list") {
+ $can_delete = (CourseManager::get_user_in_course_status($user_id, $cidReq) == COURSEMANAGER);
+ if ($subaction == "list")
+ {
// FIXME: check security around $_REQUEST["cwd"]
$cwd = $_REQUEST["cwd"];
-
+ $is_bellow_videoconf_upload_path = Security::check_abs_path($cwd,api_get_path(SYS_PATH));
+ /*
// treat /..
$nParent = 0; // the number of /.. into the url
while (substr($cwd, -3, 3) == "/..")
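Review bot: `Security::check_abs_path($cwd, api_get_path(SYS_PATH))` on L149 is not the same test as the one it replaces: the old code (commented out from L150 onward, continuing into the next hunk) asked whether `$cwd` starts with `VIDEOCONF_UPLOAD_PATH`, whereas the new call appears to ask whether `$cwd` lies under the platform's system path, and `$cwd` is a document-relative path as passed on L161. If the helper expects an absolute path, the delete flag may now be reported as `false` for every listing, or `true` outside `/videoconf`; I'd confirm the helper's contract before relying on it. The FIXME on L146 is still accurate: `$cwd` reaches `get_all_document_data` on L161 unvalidated. Rather than commenting the old check out, delete it — the history is in git.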
@@ -219,77 +174,63 @@ if ($action == "upload")
// check if user can delete files. He must be manager and be inside /videoconf
$isBellowVideoConfUploadPath = (substr($cwd,0,strlen(VIDEOCONF_UPLOAD_PATH)) == VIDEOCONF_UPLOAD_PATH);
$canDelete = ($canDelete && $isBellowVideoConfUploadPath);
+ */
+ $can_delete = ($can_delete && $is_bellow_videoconf_upload_path);
// get files list
$files = DocumentManager::get_all_document_data($_course, $cwd, 0, NULL, false);
printf("");
printf("");
foreach($files as $i)
+ {
if ($i["filetype"] != "folder")
+ {
continue;
+ }
else
{
- printf('%s%s%s', $i['path'],$i['title'],($canDelete?"true":"false"));
+ printf('%s%s%s', $i['path'],$i['title'],($can_delete?'true':'false'));
}
+ }
printf("");
foreach($files as $i) {
$extension = (strrpos($i['path'],'.')>0 ? substr($i['path'], strrpos($i['path'],'.'),10) : '');
- if ($i["filetype"] != "file" || !in_array($extension, $IMAGE_EXTENSION))
+ if ($i["filetype"] != "file" || !in_array($extension, $image_extension))
+ {
continue;
+ }
else
{
- printf('%s%s%s', $i['path'],$i['title'],($canDelete?"true":"false"));
+ printf('%s%s%s', $i['path'],$i['title'],($can_delete?'true':'false'));
}
}
printf("");
-// foreach($files as $i) {
- // FIXME: Please optimise me !!!
-// $extension = (strrpos($i['path'],'.')>0 ? substr($i['path'], strrpos($i['path'],'.'),10) : '');
-// if ($i["filetype"] != "file" || !in_array($extension, $PRESENTATION_EXTENSION))
-// continue;
-// else
-// {
-// printf('%s%s%s', $i['path'], $i['title'],($canDelete?"true":"false"));
-// }
-// }
-// printf("fr1fn1");
-
printf("");
printf("");
- } else if ($subaction == "delete") {/*
-==============================================================================
- PERMISSION
-==============================================================================
-*/
- $permissions = CourseManager::get_user_in_course_status($user_id, $cidReq);
- if ($permissions != COURSEMANAGER)
+ }
+ else if ($subaction == "delete")
{
- if ($debug > 0) error_log("Upload from videoconf not allowed !!!",0);
- die(); // this user is not allowed to add upload documents
- }
-
-/*
-==============================================================================
- DELETE
-==============================================================================
-*/
- $path = $_REQUEST["path"];
+ /*==== PERMISSION ====*/
+ $permissions = CourseManager::get_user_in_course_status($user_id, $cidReq);
+ if ($permissions != COURSEMANAGER)
+ {
+ if ($debug > 0) error_log("Upload from videoconf not allowed !!!",0);
+ die(); // this user is not allowed to add upload documents
+ }
+ /*==== DELETE ====*/
+ $path = str_replace('../','',$_REQUEST["path"]);
if ((substr($path,0,strlen(VIDEOCONF_UPLOAD_PATH)) != VIDEOCONF_UPLOAD_PATH))
{
if ($debug >0 ) error_log("Delete from videoconf for "+$path+" NOT ALLOWED",0);
die();
}
-
DocumentManager::delete_document($_course, $path, $coursePath);
echo "OK"; // We have to returns something to OpenLaszlo
}
-} else if ($action == "download")
+}
+else if ($action == "download")
{
-/*
-==============================================================================
- DOWNLOAD
-==============================================================================
-*/
+ /*==== DOWNLOAD ====*/
//check if the document is in the database
if(!DocumentManager::get_document_id($_course,$_REQUEST['file']))
{
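Review bot: `str_replace('../','',$_REQUEST["path"])` on L233 is a single-pass substitution, so the result can still contain `../` when removing one match joins its neighbours into another; the prefix check on L234 then only confirms that the string starts with `VIDEOCONF_UPLOAD_PATH`, and L261 in the download hunk uses the same pattern. Reject instead of repairing: `if (strpos($_REQUEST["path"], '..') !== false) { die(); }`, or resolve the final path with `realpath()` and require that it starts with the resolved `$coursePath.VIDEOCONF_UPLOAD_PATH`. Separately, L236 joins strings with `+` rather than `.`, which is arithmetic in PHP and will not produce the intended log message. The `delete` branch also still calls a bare `die()` on L230 and L237 where the `upload` branch in the earlier hunk was changed to `die('Not allowed')`.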
@@ -307,11 +248,10 @@ if ($action == "upload")
echo($error404);
exit;
}
- $doc_url=$_REQUEST['file'];
+ $doc_url = str_replace('../','',$_REQUEST['file']);
if ($debug >0) error_log($doc_url);
$full_file_name = $coursePath.$doc_url;
DocumentManager::file_send_for_download($full_file_name,false);
exit;
}
-
-?>
+?>
\ No newline at end of file
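Review bot: The existence check just before this hunk (L254) runs against the raw `$_REQUEST['file']`, while the path actually served on L261-L264 is the stripped copy, so the value verified against the database is not the value that is sent. Compute `$doc_url` once, before that check, and use it in both places: `$doc_url = str_replace('../','',$_REQUEST['file']);` followed by `if(!DocumentManager::get_document_id($_course,$doc_url))`. As in the delete branch, a single `str_replace` pass does not guarantee that no `../` remains; the database lookup is the stronger check, provided it is done on the same string. The `download` branch opens outside this hunk.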
diff --git a/main/webrooms/checksession.php b/main/webrooms/checksession.php
index f0b5a89b87..1dde1f0c18 100644
--- a/main/webrooms/checksession.php
+++ b/main/webrooms/checksession.php
@@ -1,57 +1,61 @@
0) error_log('New LP - Included learnpath',0);
require_once('../newscorm/learnpathItem.class.php');
+if($debug>0) error_log('New LP - Included learnpathItem',0);
require_once('../newscorm/scorm.class.php');
+if($debug>0) error_log('New LP - Included scorm',0);
require_once('../newscorm/scormItem.class.php');
+if($debug>0) error_log('New LP - Included scormItem',0);
require_once('../newscorm/aicc.class.php');
+if($debug>0) error_log('New LP - Included aicc',0);
require_once('../newscorm/aiccItem.class.php');
-require_once('get_translation.lib.php');
+if($debug>0) error_log('New LP - Included aiccItem',0);
include("../../main/inc/global.inc.php");
api_block_anonymous_users();
+//$confkey = "0123456789abcdef0123456789abcdef";
+$confkey = api_get_setting('service_visio','visio_pass');
+$challenge = api_generate_password(32); //generate a 32 characters-long challenge key
+
require_once (api_get_path(LIBRARY_PATH)."course.lib.php");
printf ('');
printf('');
printf('');
-if(count($_SESSION['course'])>0)
-{
- foreach ($_SESSION['_course'] as $key => $val)
- {
+foreach ($_SESSION['_course'] as $key => $val)
printf('<%s>%s%s>',$key,utf8_encode($val),$key);
- }
-}
printf('');
printf('');
-if(count($_SESSION['_user'])>0)
-{
- foreach ($_SESSION['_user'] as $key => $val)
- {
- if ($key != "auth_source")
- {
- printf('<%s>%s%s>',$key,utf8_encode($val),$key);
- }
- }
-}
+foreach ($_SESSION['_user'] as $key => $val) if ($key != "auth_source") printf('<%s>%s%s>',$key,utf8_encode($val),$key);
printf('%s', session_id());
-printf('%s', (CourseManager::get_user_in_course_status($_SESSION['_user']['user_id'], $_SESSION['_course']['sysCode']) == COURSEMANAGER) ? "true" : "false");
+$isadmin =((CourseManager::get_user_in_course_status($_SESSION['_user']['user_id'], $_SESSION['_course']['sysCode']) == COURSEMANAGER)||api_is_platform_admin() ? "true" : "false");
+printf('%s', md5($confkey.$challenge));
+printf('%s', $challenge);
+printf('%s', $isadmin);
+printf('%s',($isadmin=='true' || $_SESSION["roomType"] == "conference")?'true':'false');
+printf('%s',($isadmin=='true' || $_SESSION["roomType"] == "conference")?'true':'false');
printf('');
printf('');
-printf(''.api_get_setting('service_visio','visio_rtmp_host_local').'');
-printf(''.api_get_setting('service_visio','visio_is_web_rtmp').'');
-printf(''.api_get_setting('service_visio','visio_rtmp_port').'');
-printf(''.api_get_setting('service_visio','visio_rtmp_tunnel_port').'');
+printf(''.api_get_setting('service_visio','visio_host').'');
+printf(''.api_get_setting('service_visio','visio_port').'');
printf('');
+$path = preg_replace('/^([^:]*:\/\/)/','',api_get_path(WEB_PATH));
+$path = str_replace('/','_',$path);
+printf('');
+printf('%s', $path);
+printf('%s', $_SESSION['roomType']); // fixme remove +
+printf('');
printf('');
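Review bot: L322-L323 send both the fresh challenge and `md5($confkey.$challenge)` to the browser, which hands every logged-in user (L289) a pair that allows guesses of the shared `visio_pass` setting to be checked offline, and an unkeyed md5 over a concatenation is not a MAC. If the client genuinely needs a response value, derive it with `hash_hmac('sha256', $challenge, $confkey)`; if only the visio server needs to verify it, the hash should travel server-to-server rather than through this page. L303 and L318 also interpolate session values straight into the XML; wrapping them as `htmlspecialchars(utf8_encode($val), ENT_QUOTES)` keeps a `<` or `&` in a value from breaking the document. The one-line `foreach ... if ... printf` on L318 would be easier to read in the braced form it replaced, and the removed `count(...)>0` guards mean L302 and L318 now warn if the session keys are absent.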
@@ -69,8 +73,8 @@ if(isset($_SESSION['oLP']))
$document_id = $_SESSION['oLP']->current;
}
-printf(' %s',$student_view);
-printf(' %s',$document_id);
+printf('%s',$student_view);
+printf('%s',$document_id);
printf('');
printf('');
printf(get_language_file_as_xml($language_interface));
diff --git a/main/webrooms/get_translation.lib.php b/main/webrooms/get_translation.lib.php
index 6eae15ccf4..aa50e1fd19 100644
--- a/main/webrooms/get_translation.lib.php
+++ b/main/webrooms/get_translation.lib.php
@@ -1,4 +1,5 @@
'.$items[1].''.$string.''."\n";
}
}